Cointime

Cointime

Download App
iOS & Android

Seven Key Cross-Chain Bridge Vulnerabilities Explained

Validated Project

While it’s undeniable that cross-chain is critical for unlocking exponential innovation in Web3, it also introduces a potential attack vector for malicious actors. In the software industry, many developers subscribe to the motto “move fast and break things.” But when it comes to cross-chain security and the safety of billions—and eventually trillions—in user funds, the opposite is true: If you move too fast, things break.

What Are Cross-Chain Bridges?

Cross-chain bridges are a type of decentralized application that facilitates the transfer of assets from one blockchain to another. 

Today, cross-chain bridges vary significantly in design and purpose. Some bridges, for example, are specifically built to facilitate transfers between a layer 2 and its respective base chain. General-purpose bridges, such as the ones built on top of Chainlink CCIP, are built to enable seamless asset and message transfers between a wide variety of blockchains. 

Cross-chain bridges are a core piece of Web3 infrastructure. For users, cross-chain bridges enable seamless movements of tokens and messages between chains. For developers, cross-chain protocols represent an opportunity to build chain-agnostic experiences that abstract away infrastructural complexities. And with 6B+ in monthly volume across all cross-chain bridges, it’s clear that cross-chain is a necessary—and widely adopted—part of the Web3 ecosystem.

That’s why if you’re a user, developer, or institution looking to go cross-chain, it’s imperative that you understand these seven key cross-chain bridge vulnerabilities to keep yourself, your users, and your stakeholders secure.  

1. Unsecure Private Key Management

Private keys—or a set of private keys—are often what manage a cross-chain bridge’s operations. The bridge operator or operators who individually hold a unique private key are tasked with coming to consensus and confirming the message or value being sent cross-chain by a user and delivering it accurately across chains. These messages are approved based on a digital signature, or a quorum of digital signatures, which are derived from the underlying private keys. 

Thus, private key compromises are one of the most common vulnerabilities for a cross-chain bridge, the culprit behind some of Web3’s most notorious cross-chain bridge hacks, often due to poor private key management or operational security practices. 

A general rule of thumb is that the more servers, infrastructure providers, locations, and operators, the more a cross-chain bridge and the private keys securing it are protected against single points of failure and centralization risks. 

Centralized networks are not only vulnerable to exploits, but enable centralized actors to unilaterally control all funds.

Decentralization helps mitigate centralization risks, which protects against the possibility of both internal and external attacks by requiring any malicious actor (even a bridge operator) to compromise the private key of multiple independent entities. It is a powerful form of security. However, it is only one consideration among many for secure private key management. Equally important are the security measures that bridge operators independently take to secure their private keys.

Best Practices

Decentralization is important for providing security against single points of failure, but private key security isn’t monolithic—the most secure cross-chain protocols combine the security that decentralization provides with time-tested methods of securing individual private keys. These include hardware security modules (HSMs), encryption (in transit, at rest), phishing education, access controls, key management services, and more.

Notable Real-World Cross-Chain Bridge Exploits Due to Compromised Private Keys

  • Ronin Bridge (March 2022)—Five out of nine private keys needed to facilitate, approve, and execute transactions on the Ronin Bridge multisig were compromised. 
  • Harmony Bridge (June 2022)—Two out of the five private keys needed to facilitate, approve, and execute transactions on the Harmony Bridge multisig were compromised.  
  • Multichain Bridge Hack (July 2023)—The cross-chain bridge’s compromised private keys, which led to unauthorized withdrawals, were all under the control of Multichain’s CEO.
  • Orbit Chain (January 2024)—Seven out of ten of the bridge’s multisig private keys were compromised, enabling attackers to drain funds.

2. Unaudited Smart Contracts

Because the primary function of cross-chain bridges is to move value from one blockchain to another, it’s inevitable that all cross-chain protocols must deal with smart contracts.

In the vast majority of cross-chain use cases, smart contracts on multiple chains are leveraged to power the minting, burning, locking, or unlocking of tokens as they move across chains. These smart contracts are connected through cross-chain bridges, often in collaboration with token issuers.

Smart contracts are both an additional line of defense against exploits and a technical risk when constructed incorrectly. On one hand, smart contracts provide a valuable avenue for cross-chain bridges to enforce various common sense security checks, such as ensuring that a user cannot withdraw more than they have deposited and rate limiting. On the other hand, poorly written and unaudited smart contract code can have the exact opposite effect: Malicious hackers have exploited flaws in smart contract code to hack enormous amounts from cross-chain bridges.

It’s impossible for any project—no matter how security-sensitive it is—to guarantee that there are no technical bugs in its smart contracts’ code. However, one of the most battle-tested methods of ensuring solid, exploit-resistant code is to work with external, experienced auditors to battle-test a codebase before it is deployed in production. This is not a one-and-done initiative—even the most well-constructed codebases immediately become untested if code is changed after an audit or if unaudited contracts are introduced to an audited codebase.

Best Practices

Smart contract risk is very real when using a cross-chain protocol. The most secure cross-chain bridges continuously put their codebase to the test multiple times across both private audits and competitive audits, as well as a variety of internal security testing such as fuzz testing, static analysis, formal verification, symbolic execution, and more.

Checking to see how many times the codebase has been audited, and by whom, serves as a reliable signal that the cross-chain bridge being used is protected against technical exploits. Additionally, layered security, such as enabling emergency pauses and updates, as well as implementing rate limits, can mitigate the impact of any smart contract bug.

Real-World Cross-Chain Bridge Exploits Due to Smart Contract Risk

  • Wormhole Bridge (February 2022)—The verification steps outlined in the bridge’s smart contract were exploited to mint 120,000 wETH on Solana without the appropriate collateralization. 
  • Nomad Bridge (August 2022)—A mistakenly implemented default accepted root (0x00) in the bridge’s smart contract enabled anyone to drain funds from the bridge. 
  • Binance Bridge (October 2022)—A flaw in the IAVL Merkle proof verification system, implemented within the bridge’s smart contract, was exploited. This resulted in 2M BNB being transferred from the bridge to the exploiter.
  • Socket Interoperability Protocol (January 2024)—A flaw in the protocol’s smart contracts affected wallets with infinite approvals to Socket’s smart contracts.  

3. Unsafe Upgradability Processes

Upgradability refers to the ability to update a smart contract’s code, or change certain parameter configurations within the contract’s code. 

Developers often use upgradable contracts to update their smart contracts in order to add new features, address contract logic errors, and modify key risk parameters. In the context of cross-chain bridges, this allows for the ability to add support for new tokens and blockchains, implement new methods of validating cross-chain messages based on new technologies, adjust key risk parameters like rate limits and node composition, as well as swiftly address any unforeseen logic errors in the underlying smart contracts. 

Upgradable contracts require developers to build proxy contracts that sit in between the end-user and frontend implementation and the underlying smart contract logic contract.

Upgradability is important in a security context because if the upgrade process is not secure, it can introduce a potential attack vector. Secure upgradability with cross-chain bridges means taking a defense-in-depth approach, which includes robust private key management with keys held by multiple independent entities, timelock delays to allow users to inspect on-chain changes before they take effect, as well as robust approval processes such as the ability for cross-chain bridge operators to veto changes proposed in the timelock. To account for situations where an upgrade needs to be applied swiftly, explicit approval can be provided by the bridge operators after reviewing the changes. 

Best Practices

Upgradability is key to staying adaptable and accounting for unknown unknowns, but the upgradability process can be another vulnerability for cross-chain protocols if implemented incorrectly. Timelock contracts and node-veto mechanisms are important tools for hardening the upgradability process, but secure cross-chain bridges must also balance the need to provide an alternative path during time-sensitive circumstances, all while maintaining the highest standards of security. 

4. Single Network Dependency

Some cross-chain bridges rely on a single network of validators for all bridging operations. While this may work for bridges purpose-built to facilitate transactions between two specific blockchains, it is not a secure or scalable solution for general-purpose bridges that aim to seamlessly connect the disparate multi-chain world we live in today.

The most important reason to avoid bridges with this architecture is the disproportionate impact a bridge hack or exploit would have on users. Because all of the cross-chain transactions and the value associated with them are facilitated by a single monolithic network, any successful breach would result in a wide and comprehensive exploit of the bridge across all blockchains—with little to no separated risk.

Leveraging multiple independent and decentralized networks segregates the risk of a single exploit causing loss of funds across all blockchains and users.

A more secure (and scalable) design is an independent, multi-network design, which means:

  • Cross-chain lanes are operated by an independent, decentralized network.  This means that there is an independent, decentralized network for each lane between blockchains (i.e., blockchain A to blockchain B is a single lane). This mitigates the risk that the impact of a single exploit will spread past its particular lane.
  • Each cross-chain lane is secured by multiple networks. As an additional level of redundancy, the most secure cross-chain bridges and protocols leverage multiple networks for each specific lane. This provides an extra layer of security for each cross-chain lane by requiring a malicious actor to compromise multiple networks simultaneously to successfully execute a hack or exploit.

Chainlink CCIP leverages multiple networks for a single cross-chain lane, making it the only cross-chain protocol to reach the fifth and highest level of cross-chain security.

Best Practices

Implementing multiple independent and decentralized networks for each cross-chain lane drastically reduces the attack surface and incentive for a malicious actor. Best-in-class implementations of this approach also include leveraging different coding languages for client diversity, separating responsibilities between networks with non-overlapping validator sets, and adding active risk management capabilities.

5. Unproven Validator Sets

The heart of any cross-chain bridge is its operators—the people and organizations responsible for maintaining the infrastructure that runs the cross-chain bridge’s operations.

Users, institutions, and dApp developers should be wary of unproven validator sets that lack the requisite experience and knowledge to securely and reliably operate a cross-chain bridge. A maximum-security cross-chain bridge requires world-class validator sets that all have extensive experience in operational security (OPSEC) to ensure proper private key management and reliable cross-chain transaction processing and execution.  

Chainlink nodes and the Chainlink oracle network are operated by world-class node operators.

The second point is largely overlooked by today’s users, devs, and institutions. A key risk for any cross-chain bridge user in regard to the underlying validator sets is that the validator set will not reliably execute transactions. For example, a user could lock up funds on one chain expecting a corresponding mint on another blockchain, but if the validator set is offline and does not approve the mint, it effectively freezes the user’s funds.

Best Practices

Cross-chain bridges should use only high-quality validators with a proven history of OPSEC experience, excellence, and rigor. Because OPSEC skills are not necessarily Web3-exclusive, this can include a variety of validators across both Web2 and Web3, but it’s always critical to verify the past performance of any cross-chain bridge validator. Additionally, adding economic security by requiring validators to put up collateral (stake) that is slashed in cases of misbehavior or unreliable operation can add additional incentives for validators to act honestly and reliably. 

6. No Active Transaction Monitoring

The goal of active transaction monitoring is to detect and react to anomalous behavior of a cross-chain bridge in real-time. When implemented properly, active transaction monitoring acts as a robust tool for detecting suspicious activity and immediately taking the necessary preventative measures to avoid a hack or exploit. 

A key example and use case for active transaction monitoring is for emergency pauses of the cross-chain system before executing suspicious transactions, or after a malicious transaction has bypassed the system, such as a successful request to withdraw a cross-chain bridge’s entire asset pool without the required collateral. 

Real-World Cross-Chain Bridge Exploits Due to No Active Transaction Monitoring

  • Ronin Bridge (March 2022)—According to Halborn Blockchain Security, the Ronin Bridge hack was detected six days after it happened, an important blind spot that could have been addressed by active transaction monitoring. 

Best Practices

Active transaction monitoring should generally be performed by a separate entity or network from the cross-chain bridge’s primary validator set. This helps separate responsibilities and creates a checks-and-balances situation that reduces the possibility that a malicious operator, or operator set, can manipulate the real-time responses active transaction monitoring may trigger.

7. Lack of Rate Limits

Rate limits are not a new idea. In traditional software, rate limits are a security measure used by websites to prevent denial-of-service (DOS) attacks and by data providers to stop an overwhelming number of API requests from shutting down their servers. 

The concept is quite simple: Limit the number of requests that can be made by both time and volume. What kind of requests? In the cross-chain world, rate limits put a cap on the amount of value that can be transferred between chains within a given time span

This simple security measure is a powerful last line of defense for a cross-chain bridge. Even in the event of a successful hack or exploit that evades every other security measure, rate limits put a limit on how much value can actually be extracted from the cross-chain bridge. 

Rate limits are like a small hole in a bucket of water—only a predefined amount of water can leave the bucket at a time.

Real-World Cross-Chain Bridge Exploits Due to Lack of Rack Limits

  • Every single bridge hack in which all of the value was stolen in a short time frame could have been mitigated by rate limits and an emergency halt functionality, assuming there were no logic errors in its implementation. 

Best Practices

Rate limits for assets should be determined on a per-lane basis for maximum security and modularity. Additionally, each lane should have an aggregate rate limit to limit the overall value that can be transferred on that lane across all assets. Implementing well-defined throughput rates (i.e., X tokens every 10 minutes max) can help prevent malicious actors from draining all assets within a bridge in a single transaction. “Refill rates” can also be applied to various cross-chain assets and lanes to avoid situations where malicious actors wait for a rate limit to reset to steal the maximum amount possible. 

Chainlink CCIP Provides Unmatched Cross-Chain Security

One key takeaway should be that cross-chain security is not as straightforward as implementing a single security measure. In reality, a robust cross-chain security design requires a defense-in-depth implementation that layers different security measures together to provide broad-spectrum protection against a hack or exploit.

The most secure cross-chain bridges employ defense-in-depth solutions that layer multiple security measures together.

That’s exactly how Chainlink CCIP—the industry-standard cross-chain solution—has been architected. 

Chainlink Chainlink $8.08
-2.15%
chainlink
Comments

All Comments

Recommended for you

  • SpaceX's Largest IPO Approaches, Space Stocks Surge, Momentus Up Over 24%

    On June 4, space stocks saw significant gains, with Momentus rising over 24%, Virgin Galactic up over 18%, Redwire increasing by over 17%, and York Space Systems gaining more than 7%. Boeing, GE Aerospace, and Rocket Lab also saw nearly 3% increases. In news, SpaceX disclosed in a filing submitted to the U.S. Securities and Exchange Commission (SEC) on Wednesday that it plans to set the offering price at $135 per share before officially launching the IPO roadshow, aiming to raise $75 billion. At this offering price, SpaceX's valuation would reach $1.77 trillion, making it the seventh-largest publicly traded company in the U.S., surpassing Tesla's current valuation of approximately $1.6 trillion. SpaceX plans to officially list on the Nasdaq stock exchange on June 12. In its lengthy prospectus, SpaceX anchors its total addressable market (TAM) at an unprecedented $28.5 trillion.

  • SpaceX Promotes IPO to Retail Investors with 17-Minute Video, Outlining Future Vision and Ambitious Goals

    On June 4, SpaceX launched an IPO promotion for retail investors through a video early Thursday morning. In this 17-minute video, Chief Financial Officer Bret Johnsen connected the company's rocket, satellite, and artificial intelligence businesses. This presentation is part of the company's efforts, led by Elon Musk, to attract ordinary investors globally. Media reports have indicated that these buyers are a key component of SpaceX's IPO strategy, with up to 30% of the $75 billion issuance allocated to such investors. Johnsen was the only person featured in the video, where he introduced himself as the company's first and only CFO. The video is available on the company's website, spacexipo.com, which prominently encourages visitors to open brokerage accounts. Johnsen stated, 'Elon founded SpaceX with the goal of changing humanity and making us a multi-planetary species. It is incredibly exciting that we have already been able to expand this vision through the Starlink constellation and our AI solutions.' The roadshow outlined several future goals but did not specify timelines for achieving them, including increasing gross margins from last year's 49% to around 70% and achieving a net profit margin of approximately 45%, compared to last year's negative 26%. The company also outlined grand ambitions in the video, including sending data centers into space. The video further detailed its operations, including reusable rockets and the Starlink satellite system providing broadband internet access to Earth.

  • BTC Surpasses $64,000

    Market data shows that BTC has surpassed $64,000, currently priced at $64,033.43, with a 24-hour decline of 4.37%. The market is experiencing significant volatility, so please ensure proper risk management.

  • Nasdaq Golden Dragon China Index Rises Over 0.5%

    On June 4, the Nasdaq Golden Dragon China Index rose over 0.5%. Daqo New Energy increased by 6.94%, Niu Technologies rose by 6.25%, Tencent Music grew by 3.99%, Yikatong Technology climbed by 3.76%, and Bilibili saw an increase of 3.47%.

  • Philadelphia Semiconductor Index Falls Over 4%, Broadcom Drops Over 14% Leading the Sector

    On June 4, the Philadelphia Semiconductor Index fell over 4%, with Broadcom experiencing a significant drop of over 14%, leading the decline in the U.S. semiconductor sector. Arm and Micron Technology both fell over 6%, while AMD and Marvell Technology dropped over 5%. ON Semiconductor fell over 4%, and Qualcomm, Applied Materials, and GlobalFoundries each declined over 3%. Intel, Analog Devices, and ASML saw declines of over 2%. In terms of news, Broadcom reported total revenue of $22.187 billion for Q2 of fiscal year 2026, a year-on-year increase of 48%, with AI revenue reaching $10.8 billion, up 145%, both exceeding market expectations. Looking ahead to the third fiscal quarter, the company expects AI revenue to reach $16 billion, a quarter-on-quarter increase of 48% and a year-on-year increase of 210%. Citigroup analysts pointed out that the $16 billion AI revenue guidance is below their expected $17.5 billion and also below the market consensus expectation of $16.3 billion. Meanwhile, Broadcom's CEO merely reaffirmed the existing target of 'over $100 billion' in AI revenue for fiscal year 2027 without any enhancements, which directly triggered market disappointment.

  • Micron Technology Stock Price Falls Below $1000

    On June 4, Micron Technology's stock price dropped by 7.61%, closing at $997.40 per share, with a total market capitalization of $1.12 trillion.

  • Nasdaq Opens Over 1% Lower, Broadcom Drops Over 14% After Earnings

    On June 4, U.S. stock markets opened with mixed results. The Nasdaq fell by 1.02%, the S&P 500 dropped by 0.34%, while the Dow Jones rose by 0.97%. Broadcom saw a significant drop of over 14%, with its third-quarter AI revenue guidance set at $16 billion, a 210% year-on-year increase, which still fell short of market expectations. CrowdStrike also declined by over 9%, as its second-quarter earnings guidance did not 'impress the market,' with analysts noting that recent stock prices have already fully reflected the positive outlook.

  • Spot Silver Reaches $75/Ounce, Up 3.16% for the Day

    Spot silver has reached $75 per ounce, increasing by 3.16% during the day.

  • Blackstone's Flagship Private Credit Fund Limits Investor Redemptions for the First Time

    On June 4, Blackstone Group (BX.N) implemented restrictions on redemption requests for its flagship private credit fund after investors sought to redeem 10% of their shares. This marks the fund's first limitation on redemption applications, making it the latest fund to tighten redemption limits amid a wave of investor withdrawals. According to documents submitted on Thursday, the $79 billion Blackstone private credit fund has informed shareholders that it will only fulfill 5% of redemption requests. In the previous quarter, the fund allowed investors to redeem a record 7.9% of shares, aided by executives using their own funds to assist with financing. Jim Zelter, Co-President of Apollo Global Management, stated that following the previous redemption restrictions, investors are intensifying their efforts to reclaim funds, suggesting that there may be more 'turmoil' in the non-traded BDC (business development company) sector.

  • U.S. Initial Jobless Claims for Week Ending May 30 at 225,000

    The number of initial jobless claims in the U.S. for the week ending May 30 was 225,000, compared to an expectation of 213,000. The previous value was revised from 215,000 to 212,000.

Daily Must-Read

Popular Activities

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

RaveDAO at Terra Solis by Tomorrowland: A Female-Led Techno Night Where Web3 Culture Converges

April 30 - April 30
Dubai

Popular Tags

Cointime
News
Contents
RSS
Company